Privacy statement coronavirus testing

Testing for the coronavirus and communicating the results
It is important that we properly secure your data. We are careful with it, and we comply with laws such as the General Data Protection Regulation (GDPR).

Who works with your personal data?
GGD GHOR Nederland manages the CoronIT IT system for the GGDs. The GGDs are responsible for your personal data if you take a coronavirus test. We use this system to use and store your personal data. We follow all laws as we do this. This means that we handle your personal data properly and safely. We must also tell you what data we have about you, what we do with it, and who works with it. We share your data with the following organisations:

The GGD: Local GGD departments and GGD doctors (called the GGD in this document)
GGD GHOR Nederland
The laboratory that works with your coronavirus test
The IT provider (Topicus) of CoronIT and its sub-processors
Teleperformance call centre

Did you make an appointment for a coronavirus test through the call centre, the coronatest website or a doctor? Then your personal data will be transferred to CoronIT. CoronIT is the administration system for the test process and communication. It lets the GGDs see whose test result it is. Normally, the GGD GHOR cannot see this unless there is a problem that our Service Desk needs to solve. Then we will be allowed to see this data for our Service Desk work. The picture below shows where your data goes.

What happens to your personal data?
We use your personal data to be able to run a coronavirus test. We also use it to tell the GGD and you about the test result. Would you like to know which personal data we ask for? And what else we use it for? Please take a look at the section below called What else do we use your personal data for? Here is a brief description of what happens to your personal data.

You get symptoms that could be related to coronavirus, such as coughing, a fever, shortness of breath, a sore throat, or a lower ability to smell or taste. You therefore decide that you want to be tested.
You register for a test through the coronatest website. You then choose from three possible times. You can also call the call centre to make an appointment. The call centre may tell you to contact the GGD. If a doctor thinks you need a coronavirus test they will make the appointment for you. You don’t have to book an appointment yourself.
You get the coronavirus test. Your test goes to a laboratory for examination.
You can see the result of the test on the coronatest website. Or you might receive a phone call to tell you the result. If the result is positive and you are infected with coronavirus the GGD will contact you.
Do you have coronavirus? Then the GGD will talk to you about the next steps. For example, you might have to stay at home for a while. And you might not be allowed to have contact with other people. This is called quarantine. They will also look into who you have been in contact with and how you got the infection. This is called source and contact tracing.
Have you been tested and do you want a certificate to prove you had a negative test result? Or do you want proof of recovery or a vaccination certificate? You may need this to travel or go to an event. Then you can use the CoronaCheck application. You can get a QR code for your certificate in this app. Do you want to know more about your privacy in the CoronaCheck application? Read the privacy statement for the CoronaCheck application.

See below for more information about all of the steps.

STEP 1: You sign up for a test

You can make an appointment in 3 ways:

Through the coronatest website.
Through the call centre.
Through a company doctor.

Signing up through the coronatest website

You can go to the coronatest website and tell us which symptoms you have. If you have symptoms that are related to coronavirus, we will ask you a number of questions. For example: have you been in contact with people who were infected with coronavirus?

You can then log in with your DigiD and choose a date, time and test location. We will also ask you for your phone number and email address. That way, we can send you confirmation and contact you if needed. You will receive confirmation of your test appointment by email and text message.

Signing up through the call centre

You can call the call centre to make an appointment. The employee at the call centre will register your personal data. Then they will make an appointment for your coronavirus test. You will receive confirmation of your test appointment by email and text message.

Signing up through a company doctor

A doctor may check to see whether you need a coronavirus test. If you do, they will register your personal data. They will then book an appointment for your coronavirus test. You will receive confirmation of your test appointment by email and text message.

STEP 2: You take the test

The GGD does the coronavirus test. First, they look up your personal data in their administration system. Then they make sure that this data is linked to the test tube with your test and the barcode on it.

A GGD employee will do the test for you. They will put a cotton swab with cells from your nose and throat into the test tube.

STEP 3: Your test goes to the laboratory

The test tube is placed in safe packaging. A courier then takes the test tube to a laboratory.

STEP 4: They analyze your test

The laboratory will then analyse the coronavirus test. The result of this test might be:

Positive: you are infected with coronavirus.
Negative: you are not infected with coronavirus.
The test is not clear.

The laboratory will enter the result in the administration system.

STEP 5: You get the result

The laboratory will tell the administration system which result belongs to which barcode. This links the barcode back to your personal data. Then you get the result. This can be done in the following ways:

A doctor, the GGD or a call centre employee will contact you and tell you the result.
You will receive an email saying that your result is ready and you can see it on the coronatest website. If the result is positive and you are infected with coronavirus, the GGD will contact you. The GGD will also talk about the next steps with you.

STEP 6: Proof of negative test result
Have you been tested and do you want to be able to prove you have a negative test result? Or do you want proof of recovery or a vaccination certificate? You may need this to travel or go to an event. Then you can use the CoronaCheck application. You can get a QR code for your certificate in this app.

If you are not able to pick up a QR code in the CoronaCheck app, click here for more information.

Is your data incorrect? Or do you have questions about your data? The GGD GHOR Nederland’s back office can check your data and correct it if needed. Contact the back office at 0800-5090.

Do you want to know more about your privacy in the CoronaCheck application? Read the privacy statement for the CoronaCheck application.

What else do we use your personal data for?
It is important that we know how many infections there are in the Netherlands and how many tests have been done. We use your data to find this out, but in a general, anonymous way. This means that we don’t see any of your personal data in the information. Your data might also be used for scientific research. This is also done anonymously, and it follows the rules that apply to scientific research.

We will ask you for your permission if we want to record your telephone conversation with a call centre employee. We will only record the conversation if you give us this permission. We use these recordings to help improve our work. We also use something called ‘automatic speech analysis’ to do this. Here’s how it works. The computer ‘listens’ to the recording of your telephone conversation and looks for specific words. This helps us to select recordings of telephone conversations to check. We check for things like employee fraud or employees who give medical advice when they shouldn’t. It also helps us understand why somebody was not able to make an appointment. This helps us to do our work better.

When do we send your data to other organisations?
In some situations we send data related to you to other organisations. Can people find out from this data that it is linked to you? Then we will only send it if you have given your permission. Or if the law says that we have to.

We send your data to these organisations:

Statistics Netherlands (CBS). We send them data so that they can track the coronavirus pandemic.
National Institute for Public Health and the Environment (RIVM). We send them data that the law says we have to send to them. We also send them data for research.
National Coordination Team Diagnostic Chain (LCDK). We send them data so that they can arrange coronavirus testing in the Netherlands properly.
The Ministry of Health, Welfare and Sport (VWS). VWS is responsible for the CoronaCheck app. If you ask to see your data via the CoronaCheck app, it will be shared with you.

What personal data do we use?
We need your personal data to run the coronavirus test properly. And to let you know the result.

These are the types of personal data we need from you:

Your first and last name
Your address, or the address you use when you are not at home. For instance, this might be your address while you are on vacation.
Your date of birth
Whether you are male, female, unspecified or unknown
Your Citizen Service Number (BSN)
Your phone number
Your email address
Your symptoms
Your test tube barcode
The result of your coronavirus test
Perhaps the name of the doctor asking for the test
Whether you have had direct contact with others
Whether you have worked, and if so, in which type of job you work

You log in to the coronatest website with your DigiD. This will help you make your appointment securely. It will also let us know who is making the appointment. We will not be able to see your DigiD username or password.

Priority line
Do you work in education or healthcare and can you make an appointment through the priority line? If so, we will ask for some extra information to verify this. This may include an AGB code or a BRIN number. If you don’t have the verification information we need, you will need to use 0800-1202 or make an appointment online.

What laws apply to the way we use your personal data?
The General Data Protection Regulation (GDPR) states that we can only use your personal data if we have certain reasons. These are called ‘valid’ reasons. The GDPR states that these valid reasons are: consent, agreement, legal obligation, vital interest, public task / public interest or legitimate interest.

We use your data to fight an infectious disease epidemic. This is a public task or a public interest task. The GGD is also required by law to record, check and follow up on data for these types of diseases. We have to report our test results to the National Institute for Public Health and the Environment (RIVM). This is stated in the Wet publieke gezondheid (translated here as Public Health Act).

The laws that apply here are:

Wet publieke gezondheid (translated here as Public Health Act), Article 6, paragraphs 2 and 4.
Besluit publieke gezondheid (translated here as Public Health Decree), Article 11, paragraph 1.

We will only record the conversation with the call centre employee if you give us permission. We will ask you this before the conversation starts. The law that applies is GDPR Article 6, paragraph 1a and Article 9, paragraph 2a.

If you contact GGD GHOR Nederland’s back office to check the data used for your test certificates or proof of recovery, the telephone conversation will be recorded. We do this to make sure any complaints are handled properly. We record the conversations on the basis of Article 6, paragraph 1f of the GDPR.

How long do we keep your personal data?
We keep your personal data for a maximum of five years. This is allowed by the Wet publieke gezondheid (translated here as Public Health Act). After this time, we destroy the data or make it anonymous.

During the coronavirus test, an employee will use a cotton swab to remove cells from your nose and throat. This cotton swab is sent to a laboratory to be tested. How long the laboratory keeps the cotton swab depends on the result of the test:

You don’t have coronavirus? The laboratory will destroy the sample from your test within a few days.
You do have coronavirus? Then the laboratory can keep the sample from your test for 3 months. The laboratory uses your test to see how the virus is spreading. The anonymised material can also be used by other researchers for scientific research.

We do not collect your DNA
We will ask for your permission if we want to keep your personal data longer. The only time we wouldn’t ask you this is if we need to keep it longer because of another law.

We keep recordings of conversations with the call centre for 14 days. We use them to check the quality of our work and handle complaints. We delete the recordings after 14 days. Sometimes, there is a complaint or problem related to the recording. If this happens within the 14 days, then we keep the recording until we have dealt with the complaint or solved the problem. We make reports based on the speech analysis of the recordings and keep these reports for up to 14 months. They don’t contain any personal data.

If you contact GGD GHOR Nederland’s back office to check the data used for your test certificates or proof of recovery, the telephone conversation will be recorded. We will keep the recording for 4 weeks.

How do we protect your personal data?
We think it is important to keep your personal data safe. To do that, we make agreements with the people and organisations that process the data for us. The agreements say what they can do with your data for us.

What else do we do?

We make sure that we work with secure systems. We test this, or have it tested for us.
We make sure that employees who work with your personal data know what they can and cannot do with the data. They must keep the personal data confidential.
We make sure that we work according to a fixed procedure. We also follow the laws and regulations about personal data.

What are your rights?
These are your rights under the law:

You have the right to receive correct information about what happens with your personal data.
You have the right to see your personal data. You can get a copy of this data.
If your data is incorrect, you can ask us to correct it.
In some cases, you can ask us to delete your personal data.
In some cases, you can object to the use of your personal data.

You can contact the GGD that performed your test for all of these situations.

Do you have questions or complaints about the use of your personal data?
Do you have questions or complaints about the use of your personal data? Please contact the Data Protection Officer at the GGD that performed your test. Every GGD has a Privacy Statement. This tells you who the Officer is.

Appendix 1 lists the website addresses for all GGDs.

You can also report a complaint to GGD GHOR Nederland. You can do this by sending your complaint to the GGD GHOR Nederland’s Data Protection Officer. The email address is fg@ggdghor.nl.

What can you do if you don’t agree with the outcome or the way we handled your complaint? Then you can send a complaint to the Dutch Data Protection Authority. You can do this at this website.

Changes
We will adjust this privacy statement as necessary. For example, if we have to change who processes personal data, or which personal data we use.

We last updated this statement on July 23, 2021.